{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1529 - System Shutdown/Reboot",
    "\n",
    "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Shutdown System - Windows\nThis test shuts down a Windows system.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nshutdown /s /t 1\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Restart System - Windows\nThis test restarts a Windows system.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nshutdown /r /t 1\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Restart System via `shutdown` - macOS/Linux\nThis test restarts a macOS/Linux system.\n\n**Supported Platforms:** macos, linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\nshutdown -r now\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - Shutdown System via `shutdown` - macOS/Linux\nThis test shuts down a macOS/Linux system using a halt.\n\n**Supported Platforms:** macos, linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\nshutdown -h now\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - Restart System via `reboot` - macOS/Linux\nThis test restarts a macOS/Linux system via `reboot`.\n\n**Supported Platforms:** macos, linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\nreboot\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #6 - Shutdown System via `halt` - Linux\nThis test shuts down a Linux system using `halt`.\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\nhalt -p\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 6"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #7 - Reboot System via `halt` - Linux\nThis test restarts a Linux system using `halt`.\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\nhalt --reboot\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 7"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #8 - Shutdown System via `poweroff` - Linux\nThis test shuts down a Linux system using `poweroff`.\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\npoweroff\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 8"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #9 - Reboot System via `poweroff` - Linux\nThis test restarts a Linux system using `poweroff`.\n\n**Supported Platforms:** linux\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `bash`\n```bash\npoweroff --reboot\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1529 -TestNumbers 9"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Decoy System \n Configure a computing system to serve as an attack target or experimental environment.   \n\n A decoy system is a computing resource presented to the adversary in support of active defense.  The underlying system can be real, virtual, or simulated, and can be presented as one of a variety of IT devices including user workstations, servers, networking systems, IOT (embedded devices), mobile systems like phones, etc.\n#### Opportunity\nThere is an opportunity to study the adversary and collect first-hand observations about them and their tools.\n#### Use Case\nA defender can deploy a decoy system to see if an adversary attempts to shutdown or reboot the device.\n#### Procedures\nUse an isolated system to visit a suspected compromised website.  Collect any associated scripting code or files dropped onto the system.\nSetup a server which appears to be something that is commonly expected within a network, such as web server."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}